← Back to team overview

mahara-contributors team mailing list archive

  1. mahara-contributors team
  2. Mailing list archive
  3. Message #31474

[Bug 1340151] Re: Consider a different approach to libxml_disable_entity_loader(true) in init.php

  Thread PreviousDate PreviousThread Next 
Okay, fixed a couple problems in the code, so that now we always set the
state of libxml_disable_entity_loader() back to what it was initially,
unless the script crashes unexpectedly before we can do that.

Now it passes my tests. The state of the entity loader remains the same
before and after running a Mahara script. If anyone wants to try to
replicate my tests using my script from comment 11, here's the stops:

1. Have an affected PHP version installed (you can do php -v at the
commandline, or run phpinfo() in a web script, to check this). See
comment 8 for affected versions.

2. Copy my test script into a file called "test.php", and put it into
your web root.

3. Restart Apache.

4. Load up my test.php script in your web browser. Reload it a few
times. Note what it says (it will probably be "false" every time).

5. Install Mahara

6. Export a Leap2a archive from Mahara

7. Load up test.php again, and see what it says now. Refresh it a dozen
or so times in case your Apache is using multiple workers or threads.

Expected result: The value you get from test.php in step 7 should be the
same as the value you got in step 4.

Actual result (before patch): The value you got from test.php in step 7
was always "true".

As a further test you can alter test.php so that it leaves the the
entity loader set to "true". Then revert it back to its original state
that merely checks the state of the entity loader. You should now find
that reloading test.php always shows "true". Now try running a Leap2a
export from Mahara again, and then load up test.php after. It should
again continue to show "true". Mahara should not have changed the
current setting of libxml_disable_entity_loader().

Cheers,
Aaron

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it!
https://bugs.launchpad.net/bugs/1340151

Title:
  Consider a different approach to libxml_disable_entity_loader(true) in
  init.php

Status in Mahara:
  In Progress
Status in Mahara 1.10 series:
  Confirmed
Status in Mahara 1.9 series:
  Won't Fix
Status in Mahara 15.04 series:
  Confirmed
Status in Mahara 15.10 series:
  Confirmed
Status in Mahara 16.04 series:
  In Progress

Bug description:
  Unfortunately it seems like using libxml_disable_entity_loader(true)
  in init.php is unkind to other applications living on the same system.

  PHP Bug https://bugs.php.net/bug.php?id=64938 is the heart of the
  problem  - the use of this setting leaks between different threads and
  by setting it for the duration of every single Mahara request this bug
  comes into play much more easily.

  The other problem is https://bugs.php.net/bug.php?id=62577 which means
  that  simplexml_load_file() will not even load *local* files off disk.
  For example, this would break in Mahara even though no entities come
  into play:

  $xml = simplexml_load_file(get_config('libroot').'/db/install.xml');

  In Moodle we've been warned on one of our issues that users have seen
  this problem in the wild with Mahara, I didn't find an issue reported
  to you about it, so i'll copy and paste the report from our tracker
  here:

  "We had experience with this problem on an upgrade to Mahara 1.7, when
  https://bugs.launchpad.net/mahara/+bug/1047111 was fixed. The approach
  was the same as is suggested in this ticket. This caused seemingly
  random failures in Moodle (which is run on the same webserver)
  whenever there was usage of Mahara. The root cause was not obvious,
  nor well advertised with the Mahara fix, so it took awhile to finally
  implement a fix. In the meantime, significant functionality is broken.
  Unfortunately, there's really no way around this unless you switch
  from using mod_php."

  Yesterday whilst debugging some code with Yuliya we realised she also
  was encountering this horrible combination of bugs affecting her
  Moodle install so it seems this is not a theoretical problem.

  In Moodle we have decided to use the same approach of many other projects and enable/disable the loader around vulnerable code to reduce the chance of this combination of bugs affecting other applications or uses of the the simplexml_load_file:
  http://cgit.drupalcode.org/drupal/commit/?id=b912710
  https://github.com/symfony/symfony/blob/8ef8a1d289a6ce454b7c79baeddbfb45e4af6191/src/Symfony/Component/Config/Util/XmlUtils.php#L41
  http://www.mediawiki.org/wiki/XML_External_Entity_Processing

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1340151/+subscriptions

References

  Thread PreviousDate PreviousThread Next